What’s The Future of Cybersecurity?

06/05/2017 11:51 am ET, Updated Sep 28, 2017

As we become increasingly dependent on technology in our daily lives, we open ourselves up to an entirely new kind of threat: cyberattacks.

While in the late 90s and early 2000s cybersecurity went as far as your company’s IT guy, today it’s a multi-billion dollar global industry that is expected to top $1 trillion by 2020. Whether it’s an email scam targeted at individuals or corporate data theft affecting millions of people at one time, the rise in cyberattacks and their increasing reach has made cybersecurity a very hot topic.

When we started thinking about cybersecurity and where it’s heading, one of the first issues brought up was the internet of things. Someone tampering with your computer while you’re surfing the web is an inconvenience, but what about someone hacking into your car while you’re driving down the highway?

So, in an effort to ease our fears and gain a better perspective we decided to ask a group of cybersecurity experts…

What’s the future of cybersecurity?

“In 10-15 years, we will be deep in a ‘war of the machines’ era with advances in artificial intelligence bringing fast and sophisticated execution of security defense and cybercrime. This will be a battle of AI vs AI. The availability of low cost computing and storage, off-the-shelf machine learning algorithms, AI code and open AI platforms will drive increased AI use by the good guys to defend and protect – but also increase deployment of AI by the bad guys. There will be sophisticated attacks launched on a grand scale, quickly and intelligently with little human intervention, that compromise our digital devices and web infrastructure. Cybercriminals will create fully autonomous, AI-based attacks that will operate completely independently, adapt, make decisions on their own and more. Security companies will counter this by developing and deploying AI-based defensive systems. Humans will simply supervise the process.”

“Employers will look further outside of IT for tech talent. Organizations aren’t just looking for the standard computer engineer anymore. While they still need the engineers, the developers, data scientists and the technological tools to write, pull and track data, the need to have professionals who can make sense of all of that data and communicate it back to the executive team in business terms that they can understand is becoming increasingly important. How someone is able to present technical information and frame it as a business problem is going to be in high demand. We will see more organizations looking outside the traditional skill set to cultivate the next generation of cybersecurity professionals.”

“A big trend I see is a focus on service resilience, i.e., making it so that a DDoS can melt one provider or one datacenter, but your service will automatically migrate to another site that can serve the same content. Expect that resilience, as opposed to prevention, will become more talked about.”

“We can expect the unexpected. I never would have predicted last year that we would be talking about the DNC and hacking of elections. Expect new trends to come out of left field. Ransomware will be on the upswing and evolve in new unforeseen ways. It will be more targeted and focus on more valuable targets as we saw with healthcare. And it will continue to attack new, more damaging industries like we recently witnessed with San Francisco BART and Muni. Like the attacks with Krebs and Dyn, DDoS is coming back in a big way. Thanks to the proliferation of insecure things on the Internet, the risk of crippling cyberattacks will only increase.”

“Blockchains are moving from the realm of just fueling cryptocurrencies like Bitcoin to providing smart contracts, identity management, and multiple ways of proving integrity of data. They may also hold the key to defending against IoT attacks.

Quantum computing will have possibly the biggest impact within 10 years. Most over-the-wire encrypted transmissions collected over the next decade will be readable, and even private keys will be reversible from public blockchains (for example, you can spend someone else’s Bitcoin). Post-quantum safe crypto will be a must.

AI will be used to identify hacking flaws and patch them to stay ahead of malicious attackers.”

“The top challenge for cybersecurity isn’t preventing data breaches, stamping out ransomware, or preventing ever-more-massive DDoS attacks, it is securing our digital privacy. 2017 and the years to come will dictate the future of cybersecurity, and most importantly human privacy. Digital threats have evolved quickly and can wreak havoc on our lives, endangering our personal privacy and the privacy of those around us.

To tackle this important issue, we need the national government to take a stance on what our digital privacy is. Is it an immutable human right? If so, there needs to be explicit legislation that goes beyond what is currently in place. It needs to protect each and every citizen and hold those who might put our privacy in jeopardy accountable for their actions. This will be the most important cybersecurity decision in the next year and it will shape the security landscape for years to come.”

“The future that I see is Universal Second Factor Authentication as standard on all logins that contain sensitive information. U2F is similar to Two Factor authentication (2FA) but more secure.

Whilst 2FA is better than nothing, it is inherently insecure. The most popular methods like Time-based One-Time Password (TOTP), used by offerings like Google Auth services, transmit a shared secret (master key) over the internet during the setup process.

This weakness is now being recognised more than ever with companies like Dropbox partnering with Intel on U2F after their hacking issues last year. Universal Second Factor (U2F) outperforms 2FA because it never reveals sensitive information.

* No shared secret (private key) is sent over the internet at any time.

* No sensitive or confidential information shared due to public key cryptography.

* It’s easier to use as there is no retyping of one-time codes.

* No personal information is associated with the secret key.

Because there is no secret shared and no private databases stored by the provider, a hacker is not able to steal the entire database to get access. Instead, they would have to target individual users, and that is much harder.”
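The contrast this contributor draws between a shared-secret second factor and U2F can be made concrete. The following is an added example, not part of the original article or of any contributor's material: it compares what a copied server-side record allows under TOTP (RFC 6238) and under a U2F-style challenge signature. The function names, the `login.example` origin and the simplified signed message (hash of origin followed by the challenge, not the real U2F wire format) are assumptions made for illustration.

```javascript
// Added illustration (not from the article). All function names are hypothetical.
const crypto = require('crypto');

// TOTP per RFC 6238 (HMAC-SHA1): the code depends only on the shared secret and the clock.
function totp(secret, unixSeconds, digits = 6, step = 30) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / step)));
  const mac = crypto.createHmac('sha1', secret).update(counter).digest();
  const offset = mac[mac.length - 1] & 0x0f;            // dynamic truncation
  const value = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(value % 10 ** digits).padStart(digits, '0');
}

// U2F-style message: SHA-256 of the origin followed by the server's random challenge.
// Simplified; real U2F also signs a user-presence byte and a counter.
function signedData(origin, challenge) {
  const appParam = crypto.createHash('sha256').update(origin).digest();
  return Buffer.concat([appParam, challenge]);
}

// The P-256 key pair is created on the device; only the public half is registered.
function newDeviceKey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
}

function deviceSign(privateKey, origin, challenge) {
  return crypto.sign('sha256', signedData(origin, challenge), privateKey);
}

function serverVerify(publicKeyPem, origin, challenge, signature) {
  return crypto.verify('sha256', signedData(origin, challenge), publicKeyPem, signature);
}

// Compare what a copy of the server-side records is worth in each scheme.
function compareStolenDatabase() {
  const now = 1500000000;                               // constructed timestamp
  const origin = 'https://login.example';               // constructed origin
  const device = newDeviceKey();

  // Constructed server records: TOTP stores the secret, U2F stores a public key.
  const totpRow = { user: 'alice', secret: Buffer.from('12345678901234567890') };
  const u2fRow = {
    user: 'alice',
    publicKeyPem: device.publicKey.export({ type: 'spki', format: 'pem' }),
  };

  // Normal login with the real device.
  const challenge = crypto.randomBytes(32);
  const legitimateOk = serverVerify(
    u2fRow.publicKeyPem, origin, challenge,
    deviceSign(device.privateKey, origin, challenge));

  // A copy of the TOTP record is enough to compute the code the server expects.
  const copiedRows = { totp: { ...totpRow }, u2f: { ...u2fRow } };
  const totpReproduced = totp(copiedRows.totp.secret, now) === totp(totpRow.secret, now);

  // The copied U2F record holds no private key; a signature made with any
  // other key does not verify against the registered public key.
  const otherKey = newDeviceKey().privateKey;
  const u2fReproduced = serverVerify(
    copiedRows.u2f.publicKeyPem, origin, challenge,
    deviceSign(otherKey, origin, challenge));

  return { legitimateOk, totpReproduced, u2fReproduced };
}

console.log(compareStolenDatabase());
```

The TOTP secret used here is the published RFC 6238 test key, so `totp()` can be checked against the RFC's test vectors.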

“There will be a shift in the basic human feelings of security as crime becomes more focused on the cyber domain. New threat models will arise, and cyber criminals will get their inspiration from the IT world (ransomware, APTs, and more).

One major target area will be vehicles. With every car now connected, each one is a potential target. Vehicles are controlled by Electronic Control Units (ECU), and cyber security will become an integrated part of every ECU, just as security is embedded in any PC or organizational network. Consumers will see it as standard just like seat belts, ABS, and other automotive safety elements.

This will also change whole industries. For example, insurance models will shift from covering the decreasing number of car accidents, and instead focus on data breaches and accidents that are a result of bugs or hacks.”

“While the lone hacker will disappear in favor of ever more organised cyber criminals, the net threat to organisations will remain neutral as the industry-wide information security skills shortage will narrow due to an improved focus within the educational establishment, as well as top salaries being paid to the best quality professionals.

Hacktivism will become a bigger headache for politicians, however, as the march of globalization leaves more and more people feeling disenfranchised and powerless to be heard through conventional means.

The key business threats today will be the key threats of the next two decades as well. While unsophisticated, phishing attacks will always be a cheap and effective money-generating threat and ransomware’s use of encryption will make it hard to discount any time soon.

Beyond that, the one certainty is that information security will, and always will be, a reactive solution to all new emerging threats.”

“The multi-million dollar ransomware industry has grown and will continue to grow with amazing speed in the years to come, thanks in part to the spread of untraceable cryptocurrency such as Bitcoins and the proliferation of ransomware kits on the dark web, which allow anybody, even script kiddies with no programming skills, to put together and reap the financial rewards of ransomware attacks.

Ransomware is increasingly targeting organizations in the financial and healthcare industries. These organizations often have thousands or even tens of thousands of gigabytes of customer/patient data they cannot afford to lose–which makes them all the more willing to pay handsomely to get their data back at any cost.”

“CISOs will drive cybersecurity as a strategic and integral part of the greater organization and will switch their solutions to those that properly protect against advanced attacks, seeking out technologies monitoring the entire threat life cycle – from initial malware delivery to callbacks and data exfiltration.”

“IoT will overtake everything else in connected devices and not only will be the most hacked stuff, it will continue to be the hardest to protect. This will turn cybersecurity on its head because security on all IoT is terrible, and totally opaque to users. It’s take it or leave it. You can’t harden the devices after the fact. You can’t even log into them. You just have to hope they are secure and your perimeter can stop all attacks.

Building secure, hardened IoT devices from the start is ultimately the best solution. One new challenge will be that IoT devices will have encrypted connections (or they should!). It will be effectively impossible for any network based device like a firewall to see inside that session. There are some SSL/TLS interception methods that can be used, but that requires the devices to trust the interception device. Harden your IoT now.”

“It used to be that security concerns were the biggest impediments to Public Cloud adoption. But, in 2017, that will no longer be the case. It is widely accepted that security in Public Clouds is strong, shifting the top concern to compliance. Organizations moving to the cloud need to be able to demonstrate and provide assurance that they are doing things in a secure and compliant manner. So, whether it is PCI, HIPAA, NIST-800 53 or internal compliance standards, organizations need to be able to demonstrate that they can maintain compliance throughout the fast-pace of change that takes place in the Cloud. To solve this, they will have to turn to security and compliance automation solutions that will help them measure and report with ease.”

“Crown jewels” in the cloud. Enterprises will also move beyond using the public cloud solely for test/dev or burst capacity purposes. And again, because they want to benefit from the elasticity and the capacity on demand the cloud has to offer, they will now be looking to leverage IaaS for hosting always-on, mission-critical, Tier-1 applications—aka the crown jewels.”

“The future of cyber security in 15 years is on the one hand going to sound like science fiction, and on the other hand sound like it’s all still today. Technically, you will see massive developments in AI/machine learning, human/machine interface and hundreds of billions of IoT devices.

AI’s will be hacked and subverted, which will require a new breed of “AI Auditors” who will test AIs for ethical behavior. With neural interfaces, cyber criminals will be able to feed false data direct into someone’s brain, and people need to be trained to recognize this and not act on it. IoT devices will be smart enough to provide limited AI functions, but those again are suspect and could easily be hacked.

People will still be social engineered like they are today, and only require more and more sophisticated training to recognize hacking attempts.”

“If you had asked me 15 years ago if some companies would still be using IBM AS400 mainframes to run business applications, I would have thought you were crazy. As we look 10-15 years forward at the cyber security landscape, I think the big assumption we can make is that history will continue to repeat itself. We will have a legacy environment that will be difficult to protect because of outdated, no longer supported hardware and software, maybe even still the IBM AS400. I am 100% positive the cutting-edge computing environment, potentially quantum computing, again, will NOT be designed with security. As a result, we will have to figure out how we retrofit a security framework on something not designed to be protected. The good news is that I believe Artificial Intelligence and Machine Learning will actually start yielding capabilities that will finally provide real help in defensive operations.”

“Cybersecurity is getting complex as the number of cyber threats is growing. The Internet of Things (IoT) is bound to add mountains of challenges for cyber security. There are more and more cyber specialists who are starting to search for a more mature approach to identify and deal with cyberattacks.

Most of the tools that are used are only capable of identifying threat signatures. As they do this, the tools try to identify a pattern that has been used in previous attacks. But these tools or approaches fail to identify the new threats.

Therefore, experts feel that one of the most efficient ways to manage the looming threats, in the days to come, is through analytics and automation. The premise is to identify the cyber risks and intrusions, and detect attacks, with the help of predictive analytics. The ideal cybersecurity future environment will offer a combination of complex human and machine intelligence, automated and analytics-driven alerts and an effective security mechanism.”

“There will be a shift in focus from broad-based attacks to more targeted attacks against specific firms or individuals. The best evidence of this is the IP theft against law firms, insider spoofed spear phishing to finance and HR people, ransomware targeting healthcare after Methodist paid out.”

“The one size fits all security paradigm will disappear. The old-school (useless) compliance mandates per vertical – FISMA for financials, HIPAA for healthcare etc. will disappear. Vendors will no longer be able to provide a product or service that is uniformly accepted (or reviled) by consumers or enterprises. Instead a new form of customized security will emerge. This will be based on a combination of end customer’s self-assessment of risk tolerance and machine learning based on that customer’s public past history and industry best practices – and voila a risk score will be attributed to the customer. This score will be the barometer to deliver a ‘custom’ security solution to the end customer by vendors. Vendors will be able to choose which risk scores they are able to fulfill and that becomes their target customer base. End of story.”

“Many traditional concepts will be hopefully gone. Perimeter security, storage-only encryption, access control based on privilege records, authentication that relies on one strong factor, DMZ – they will fade out or vanish completely.

Many new techniques will arise through machine learning and weak AIs, especially in intrusion detection and making sense of large-scale monitoring and signal analysis. Many new techniques will arise from advancements in cryptography and collective effort to eliminate poor cryptography. Still, we will have snake-oil products and systems.

Attackers will still be ahead of the game because security is asymmetric in effort and success criteria between attacker and defender.

With proliferation of IoT and a bunch of computers in every device, the damage will get physical. Growing complexity of real-world processes, intertwined with complexity of security protocols protecting them, will lead to many new challenges in practical use cases for security tooling.”

“New applications and services are released every day, but the backbone infrastructure has stayed the same for a very long time. We are at a point where patching the system with add-ons is not good enough – we need a rebuild to get to the next level, to be able to guarantee the service that we are so dependent on, address crime and guarantee fundamental security. There is no longer a reason for most traffic to be unsecure and unauthenticated on the Internet.

The IoT and IA trends are still in early stages and will continue to grow rapidly, but so far with very little concern about security. Until we address these issues, I see an exceptionally bright future for the cybersecurity and IAM industry!”

“Smart-connected home device shipments are projected to grow at a compound annual rate of nearly 70% in the next five years, and are expected to hit almost 2 billion units shipped in 2019—faster than the growth of smartphones and tablet devices. Given the diversity of operating systems and lack of regulation for these smart devices, there will be more large scale hacking attacks due to IoT device compromises. Wi-Fi and Bluetooth networks, however, will become polluted and clogged as devices fight for connections. This will, in turn, push mission-critical tasks to suffer.

However, the likelihood that a failure in consumer-grade smart devices will result in physical harm is greater. As more drones encroach on public air space for various missions, more devices are used for healthcare-related services, and more home and business appliances rely on an Internet connection to operate, the more likely we will see an incident involving a device malfunction, a hack, or a misuse that will trigger conversation on creating regulations on device production and usage.”

“Over the next ten years, better cyber security orchestration will augment gaps between AI and human incident response. Current SIEM and IDS systems without AI create too much noise for humans to filter, and straight AI cannot differentiate threats well enough to take accurate automated action. AI and Deception Technology will be used in conjunction with well-trained human security specialists to respond to perceived threats on the fly.

The current time-to-detection of a security breach is 203 days. Time-to-detection will be lowered to seconds by companies that embrace human and AI orchestration. Breaches will continue to occur at unacceptable rates until regulations force threat hunting and advanced incident response activities. March 1st, 2017, the New York Department of Financial Services passed cyber regulations that are meaningful but aren’t overly burdensome. Over the next ten years, I see similar laws passing, forcing better cyber security.”

“Over the next decade, the biggest security risk I see is relying on perimeter-based technology to keep data “locked in” the enterprise. I hear security teams voice concerns with “sensitive data leaving the company” and the need to keep it protected. To improve privacy and confidentiality, we must first shift our focus from securing the perimeter–the network, applications, and endpoints–and focus on protecting data directly.

Secondly, we need to adopt intelligent and automated security systems. Automation means investing in tools that automatically secure data based on location, context, the recipient, the user’s identity, and more importantly, tools that don’t require constant human interaction. We simply cannot rely on employees or our partners to do the right thing.

Finally, we must start protecting the integrity of data. Without proper encryption, access control or identity-aware systems in place, we leave ourselves open to having information manipulated in malicious ways.”

“From being in the industry for over 20 years, you must differentiate between threats, controls and how you identify, select and manage both. The core threats haven’t changed much: they’re about getting someone with access to something you want to help you get it. What’s changed is the way that happens.

Technology change enabled new access paths and a dramatic increase in attacks, but fundamentals are the same. Regrettably, the core approach to managing cyber risk has hardly changed at all. This is where the biggest changes should take place, but it’s hard to say if it actually will.

Unfortunately, I expect the industry to continue to put too much emphasis on technical aspects and not enough on how to protect the businesses and people at risk. Technology is sexy and easy to identify. Risk management and organizational change are much harder, but that’s where the focus must be.”

“Organizations will need to place a focus on shifting from promoting awareness of the security “problem” to creating solutions and embedding information security behaviors that affect risk positively. The risks are real because people remain a ‘wild card’. Many organizations recognize people as their biggest asset, yet many still fail to recognize the need to secure ‘the human element’ of information security. In essence, people should be an organization’s strongest control.

Instead of merely making people aware of their information security responsibilities, and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in “stop and think” behavior and habits that become part of an organization’s information security culture. While many organizations have compliance activities which fall under the general heading of ‘security awareness’, the real commercial driver should be risk, and how new behaviors can reduce that risk.”

“It’s great that we are able to even have a discussion about cyber security, because until recent years it’s been neglected and not a high priority to citizens or the companies. The tides are turning very quickly to where it is a high priority, so let’s discuss the future. The future is not entirely human based cyber security. Many have already released their artificial intelligence for security. I am not worried about that, because we are also working on our AI as well. What this type of AI is, isn’t having conversations with people; it’s doing analysis of data and finding the issues. We haven’t released our AI yet, but it is said to have discovered 30,000 vulnerabilities last time we checked that aren’t known to the public or disclosed to the companies.”

“In 10-15 years, cybersecurity might be about preventing ‘real’ identity theft. In 2017, we call theft of social security numbers and passwords ‘identity theft’. But what if criminals could steal not just these, but also our fingerprints, our brain waves, and even our genetics? This could happen, as passwords get easier to crack. First, we’ll shift to using biometrics like fingerprints and iris scans to authenticate ourselves online. But once hacked, we can’t change these things, so we’ll have to abandon them. We might switch to new methods of authentication, through brain wave sensors or genetics. But these can be hacked too. And the more information we provide, the closer criminals will get to capturing our essential selves.”

“Since humans do make mistakes, social engineering will continue to be an effective form of attack in the years to come, no matter the technology controls put into place. It has been long past time for organizations to put more focus on the human side of their security program.

Any security program can benefit immediately by beginning a review of their own internal policies, improving the types of metrics used to measure the success of the program, and consulting with legal counsel to ensure proper insurances and other risk mitigation plans are in place. These activities cost very little, have immediate turnaround timeframes, and can deliver quite a lot of return to the organization.

Perhaps most important is to comprehend the behavior of their employees and implement programs to help them work and operate in a more secure manner. Security awareness training and education programs may not be the glitziest pieces of a security program, but they are critical to its success. Even beyond that, is to involve employees more directly and understand why social engineering attacks work on them and to help address any questions and concerns.”

“Regulatory compliance is not just the buzzword du jour when it comes to cybersecurity: compliance is the undeniable future of any company, small or large, especially one seeking a government contract. Recent federal compliance rulings have already significantly impacted many SMB contractors; and as cybersecurity threats continue to proliferate and computer technology and digital culture continue to advance, federal compliance regulations are scheduled to grow. The next 10 to 15 years forecast dramatic revolutions in technology, including advancements in the Internet of Things (IoT) and the growing number of smart connections. As a result, cybersecurity will need to become smarter too. Industries with diverse needs, namely manufacturing, banking, healthcare, higher education or law, will be required to armor themselves with complex cybersecurity solutions, in order to fend off attacks from smart technologies, and federal compliance regulations will serve as guardians in this brave new world.”

“The future of cyber security is an increasing shift away from stronger perimeters and better intrusion detection, to shared notions of identity and reputation rooted in globally accessible systems like DNS. While content-scanning will still have an important role to play in protecting organizations, the first line of defense against attacks will be the ability to verify the source of a request and the reputation of the originator. Security will increasingly become a concern of the internet ecosystem as a whole, and the corresponding solutions will look more like ‘vaccines’ – they will benefit not only the organization that deploys such a solution, but also the parties with whom they interact.”